Medusa Ransomware exploits GoAnywhere Vulnerability: A Deep Dive for Security Professionals
The Medusa ransomware group, specifically the affiliate tracked as Storm-1175, has been actively exploiting a critical vulnerability in GoAnywhere Managed File Transfer (MFT) software since at least September 11, 2025. This isn’t a theoretical threat; it’s a real-world campaign impacting organizations across the United States, including critical infrastructure. Let’s break down what you need to know to protect your systems.
The Vulnerability & Initial Access
Microsoft recently confirmed reports from WatchTowr Labs detailing the exploitation of a deserialization vulnerability (CVE-2025-10035) within GoAnywhere MFT. This vulnerability allowed Storm-1175 to gain initial access to targeted networks. Essentially, the attackers found a way to trick the software into executing malicious code.
Here’s how the attack unfolds, according to Microsoft’s investigation:
* Exploitation of CVE-2025-10035: The zero-day vulnerability in GoAnywhere MFT served as the initial entry point.
* RMM Tool Abuse: Once inside, the attackers leveraged remote monitoring and management (RMM) tools – specifically SimpleHelp and MeshAgent – to establish a persistent foothold. This means they could maintain access even if initial vulnerabilities were patched.
* Network reconnaissance: Using Netscan, the attackers mapped out the compromised network, identifying valuable assets and potential targets.
* Lateral Movement: They then used the Microsoft Remote Desktop Connection client (mstsc.exe) to move laterally, spreading throughout the network to reach additional systems.
Data Exfiltration & Ransomware Deployment
The attackers didn’t just stop at gaining access. They actively sought to steal your data and encrypt your systems.
* Data Exfiltration with Rclone: Rclone was deployed in at least one compromised environment to exfiltrate sensitive files. This means your data was copied and taken offsite before encryption.
* Medusa Ransomware Payload: The Medusa ransomware payload was deployed, encrypting files and rendering them inaccessible without a decryption key.
The Broader Threat Landscape: Storm-1175 & Medusa
This isn’t an isolated incident. Storm-1175 is a prolific threat actor with a history of targeting organizations with multiple ransomware families.
* Critical Infrastructure Impact: In March, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and MS-ISAC, issued a joint advisory warning that Medusa ransomware had already impacted over 300 critical infrastructure organizations in the U.S.
* Linked to Other Ransomware: Microsoft has linked Storm-1175 to attacks exploiting a VMware ESXi authentication bypass vulnerability in July 2024. These attacks led to the deployment of Akira and Black Basta ransomware, demonstrating the group’s versatility.
What You Need to Do Now: Mitigation & Prevention
Protecting your organization requires immediate action. Here’s what Microsoft and Fortra recommend:
* Upgrade GoAnywhere MFT: The most critical step is to upgrade to the latest version of GoAnywhere MFT. Patches address the exploited vulnerability.
* Log File Inspection: Fortra advises inspecting your GoAnywhere MFT log files for stack trace errors containing the string “SignedObject.getObject.” Such entries can indicate a potential compromise.
* Review RMM Tool Access: Carefully review access controls and activity logs for your RMM tools (SimpleHelp, MeshAgent, and others). Ensure only authorized personnel have access.
* Strengthen RDP Security: Secure your Remote Desktop Protocol (RDP) access. Implement multi-factor authentication (MFA) and restrict access to only necessary personnel.
* Network Segmentation: Segment your network to limit the blast radius of a potential breach. This can prevent attackers from moving laterally as easily.
* Regular Backups: Maintain regular, tested backups of your critical data. This is your last line of defense against data loss.
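To make the log inspection step above repeatable, here is an added example (not Fortra’s or Microsoft’s tooling) that groups a GoAnywhere-style log into events and flags any stack trace containing “SignedObject.getObject”. It assumes each event starts with a “YYYY-MM-DD HH:MM:SS” timestamp and that stack frames follow on unindented or tab-indented continuation lines; the sample log, component names and frame line numbers are constructed.

```python
"""Flag stack traces mentioning SignedObject.getObject in GoAnywhere MFT-style logs.

Assumptions (not from the article): events begin with a "YYYY-MM-DD HH:MM:SS"
timestamp; exception and "at ..." frame lines carry no timestamp and belong to
the preceding event. The sample log below is constructed for demonstration.
"""
import re
import sys
from dataclasses import dataclass, field

INDICATOR = "SignedObject.getObject"          # string Fortra advises searching for
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


@dataclass
class LogEvent:
    timestamp: str
    lines: list = field(default_factory=list)


def group_events(text):
    """Split log text into events: one timestamped line plus its continuation
    lines (exception message, 'at ...' frames, 'Caused by:'), so a whole stack
    trace is examined as a single unit rather than line by line."""
    events = []
    for line in text.splitlines():
        if TS_RE.match(line):
            events.append(LogEvent(line[:19], [line]))
        elif events:                           # continuation of the last event
            events[-1].lines.append(line)
    return events


def find_indicator_events(text, indicator=INDICATOR):
    """Return (timestamp, event head line, first matching frame) for every
    event whose stack trace contains the indicator string."""
    hits = []
    for ev in group_events(text):
        frames = [ln for ln in ev.lines if indicator in ln]
        if frames:
            hits.append((ev.timestamp, ev.lines[0].strip(), frames[0].strip()))
    return hits


# Constructed sample: one benign event, one error whose trace hits the indicator.
SAMPLE_LOG = """\
2025-09-11 03:14:07 INFO  [Worker] request received
2025-09-11 03:14:08 ERROR [Worker] Error processing request
java.lang.ClassCastException: unexpected object type
\tat java.security.SignedObject.getObject(SignedObject.java:179)
\tat com.example.placeholder.Handler.handle(Handler.java:42)
2025-09-11 03:14:09 INFO  [Worker] request complete
"""

if __name__ == "__main__":
    # Pass a log path to scan a real file; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ts, head, frame in find_indicator_events(text):
        print(f"{ts}  {head}\n    -> {frame}")
```

A hit only shows that the suspicious exception occurred at that timestamp; correlate it with the RMM tool and RDP log reviews listed above before drawing conclusions.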
Staying Informed
The threat landscape is constantly evolving. Stay informed about the latest threats and vulnerabilities by following these resources:
* Microsoft Security Blog